Sophos recently reported about a Trojan that installs a cryptocurrency mining program called NsCpuCNMiner32.exe on an infected computer and then spreads itself to other computers and FTP sites. This mining program will mine the digital coin called Monero, which has become popular among criminal underground sites due to it being less traceable than bitcoin. 

Monero accepted on AlphaBay
Monero accepted on The AlphaBay Underground Site

Of particular note, this Trojan has also spread to almost all Internet connected Seagate Central network attached storage devices. This is because the Seagate Central devices by default have a world writable Public folder that if connected to the Internet allows anyone to store files on it.  When the Trojan is executed it will scan the Internet for FTP sites and attempt to login using common user names and passwords.

As the Seagate Central FTP site allows users to access the Public folder using the anonymous username, the infection is able to upload copies of itself as Photo.scr and Info.zip to the Public folder. The Photo.scr will have an icon that makes it appear as a folder in the hopes that people will double-click on it thinking it is a folder and infect themselves.

Compromised Seagate Central FTP Site
Compromised Seagate Central FTP Site

As part of its self-propogation techniques, the Trojan will also check to see if certain file exist on the compromised FTP sites. If there are, it will modify the following file types so that they include an iframe that points at the Photo.scr executable.

.php,.PHP,.htm,.HTM,.xml,.XML,.dhtm,.DHTM,.phtm,.xht,.htx,.mht,.bml,.asp, .shtm

Then when someone visits the web site, the page will automatically prompt for the download of the Photo.scr executable to spread it further.

The NsCpuCNMiner32 Miner generates a lot of money for the Trojan Devs

Though Sophos' report only indicates that there are 3,150 unique IP addresses associated with this Trojan, it does not mean that malware developers are not making money. According to the report, this software has mined 58,577 XMR, or Monero coins, which at the current rate of $10.99 per XMR equals approximately $640,000 USD.  Furthermore, Sophos states that their current mining power could potentially allow them to create an additional 327.7 more coins, valued at $3,600, a day,

Monero 30 Day Price Chart - Source: https://www.coingecko.com
Monero 30 Day Price Chart - Source: https://www.coingecko.com

As can be seen by the price chart above, Monero has seen significant growth over the past month. Whether this is due to its acceptance by the criminal underground is unknown, but if criminals decide to switch to Monero for ransomware payments it could push the price even higher.

Mining Trojans can cause actual damage to a Computer

When this Trojan mines Monero coins, it will use the victim's CPU processing power. It does this by extracting the NsCpuCNMiner32.exe to the victim's %Temp% folder and then executing it with the following command:

%Temp%\NsCpuCNMiner32.exe  -dbg -1 -o stratum+tcp://mine.moneropool.com:3333 -t 1 -u 44puJ9e27jyKc1et48J7SZLQ4pDcos96c6u84vcwHgCCce1TYqXxzpyR3gY793D9mKGEY7WjtC6TKA7eDbtvfrgGHoDNBGx -p x

Once started, the miner will use as much of the computer's CPU power at all times!

NsCpuCNMiner32 using 90% of the CPU
NsCpuCNMiner32 using 90% of the CPU

Not only does this cause the computer to become almost unusable, but could also cause damage to the processor due to the heat generated and its constant use.  Therefore, it is important that victims remove this Trojan as soon as possible.